diff --git a/website/source/guides/acl.html.markdown b/website/source/guides/acl.html.markdown index 5e53a7339..f46e47a6d 100644 --- a/website/source/guides/acl.html.markdown +++ b/website/source/guides/acl.html.markdown @@ -45,10 +45,10 @@ The following table summarizes the ACL Rules that are available for constructing | Policy | Scope | | ---------- | -------------------------------------------- | -| namespace | Job related operations by namespace | -| agent | Utility operations in the Agent API | -| node | Node-level catalog operations | -| operator | Cluster-level operations in the Operator API | +| [namespace](#namespace-rules) | Job related operations by namespace | +| [agent](#agent-rules) | Utility operations in the Agent API | +| [node](#node-rules) | Node-level catalog operations | +| [operator](#operator-rules) | Cluster-level operations in the Operator API | Constructing rules from these policies is covered in detail in the Rule Specification section below. @@ -62,9 +62,248 @@ Global ACL tokens are used to allow cross region requests. Standard ACL tokens a # Configuring ACLs +ACLs are not enabled by default, and must be enabled. Clients and Servers need to set `enabled` in the [`acl` stanza](/docs/agent/configuration/acl.html). This enables the [ACL Policy](/api/acl-policies.html) and [ACL Token](/api/acl-tokens.html) APIs, as well as endpoint enforcement. + +For multi-region configurations, all servers must be configured to use a single [authoritative region](/docs/agent/configuration/server.html#authoritative_region). The authoritative region is responsible for managing ACL policies and global tokens. Servers in other regions will replicate policies and global tokens to act as a mirror, and must have their [`replication_token`](/docs/agent/configuration/acl.html#replication_token) configured. + # Bootstrapping ACLs +Bootstrapping ACLs on a new cluster requires a few steps, outlined below: + +### Enable ACLs on Nomad Servers + +The APIs needed to manage policies and tokens are not enabled until ACLs are enabled. To begin, we need to enable the ACLs on the servers. If a multi-region setup is used, the authoritiative region should be enabled first. For each server: + +1. Set `enabled = true` in the [`acl` stanza](/docs/agent/configuration/acl.html). +1. Set `authoritative_region` in the [`server` stanza](/docs/agent/configuration/server.html). +1. For servers outside the authoritative region, set `replication_token` in the [`acl` stanza](/docs/agent/configuration/acl.html). +1. Restarting the Nomad server to pick the new configuration. + +Please take care to restart the servers one at a time, and ensure each server has joined and is operating correctly before restarting another. + +### Generate the initial token + +Once the ACL system is enabled, we need to generate our initial token. This first token is used to bootstrap the system and care should be taken not to lose it. Once the ACL system is enabled, we use the [Bootstrap API](/api/acl-tokens.html#bootstrap-token): + +```text +$ curl \ + --request POST \ + https://nomad.rocks/v1/acl/bootstrap?pretty=true + +{ + "AccessorID":"b780e702-98ce-521f-2e5f-c6b87de05b24", + "SecretID":"3f4a0fcd-7c42-773c-25db-2d31ba0c05fe", + "Name":"Bootstrap Token", + "Type":"management", + "Policies":null, + "Global":true, + "CreateTime":"2017-08-23T22:47:14.695408057Z", + "CreateIndex":7, + "ModifyIndex":7 +} +``` + +Once the initial bootstrap is performed, it _cannot be performed again_. Make sure to save this AccessorID and SecretID. +The bootstrap token is a `management` type token, meaning it can perform any operation. It should be used to setup the ACL policies and create additional ACL tokens. The bootstrap token can be deleted and is like any other token, so care should be taken to not revoke all management tokens. + +### Enable ACLs on Nomad Clients + +To enforce client endpoints, we need to enable ACLs on clients as well. This is simpler than servers, and we just need to set `enabled = true` in the [`acl` stanza](/docs/agent/configuration/acl.html). Once configured, we need to restart the client for the change. + + +### Set an Anonymous Policy (Optional) + +The ACL system uses a whitelist or default-deny model. This means by default no permissions are granted. +For clients making requests without ACL tokens, we may want to grant some basic level of access. This is done by setting rules +on the special "anonymous" policy. This policy is applied to any requests made without a token. + +To permit anonymous users to read, we can setup the following policy: + +```text +# Store our token secret ID +$ export NOMAD_TOKEN="BOOTSTRAP_SECRET_ID" + +# Write out the payload +$ cat > payload.json <